AI systems are being deployed rapidly across security operations. What does the attack surface of an agentic AI system actually look like, and how fundamentally different is it from securing a conventional software application?
“Agentic AI expands the attack surface beyond anything we see in conventional software. Traditional software integrations are deterministic, with data flows that can be easily mapped and controlled with the right approach. Agentic AI is a totally different beast that creates its own connections and routes, making it difficult to predict or audit how information moves.
That unpredictability grows when agents start talking to one another and forming new connections between different systems. Multiple autonomous systems acting together can create very real unintended outcomes..
As we discussed in the recent SyncNI roundtable I chaired, attackers can automate, speed up, and scale up their operations. In that environment, an AI agent becomes less like a traditional application and more like a semi-autonomous operator inside the environment.”
Prompt injection attacks against AI agents are increasingly documented in research but rarely discussed in operational security circles. How seriously should defenders be taking this as a real-world threat right now, rather than a theoretical one?
“Prompt injection should absolutely be taken as a real-world threat. We tend to discuss prompt injection in a research context, pointing to the extreme cases where some very clever university researchers got an AI agent or LLM to do something wild.
However, as Ned Faulkner highlighted in the roundtable, prompt injection should be treated as an operational reality. AI-generated content is now fluent and context-aware, removing traditional cues that defenders once relied on.
Combined with the collapse in exploitation timelines, this creates a serious situation where malicious instructions embedded in data sources can directly influence system behaviour. Automation also makes exploitation cheap, and prompt injection becomes just another scalable control-channel attack.
Basically, if an AI agent can take action based on retrieved or contextual input, then prompt injection is already a live attack vector.”
If an AI agent is given access to sensitive systems and the ability to take autonomous actions, the consequences of it being manipulated or misbehaving are potentially catastrophic. What does "least privilege" mean in the context of an agentic AI, and are organisations thinking about this carefully enough?
“Least privilege in an agentic AI context means quite simply limiting what systems an AI can interact with, restricting what actions it can execute autonomously, and ensuring separation between decision-making and execution.
However, as raised by Joanne English from NI Cyber, the slow pace of board level decision making compared to the pace of change means many organisations are not yet structurally ready to even consider this
This is where strong observability tools come into play. Organisations need to have visibility to make sure they know how and where AI is being used, from sanctioned enterprise tools to ad-hoc experiments.
Monitoring data flows helps identify unapproved applications and contain agents before they spread. You need visibility into what’s actually happening, so you can start restricting unnecessary access and enforcing least privilege from the get go.”
There is a version of this future where AI security tools are so opaque that defenders can't audit what decisions were made or why. How do you think about explainability and auditability as security requirements in their own right, rather than just compliance concerns?
“Explainability and auditability should be treated as core security requirements.
When an AI system takes an action, organisations need to be able to reconstruct what and why it happened. Without that visibility, it becomes extremely difficult to investigate incidents or detect manipulation.
In the roundtable, Colin Metcalfe at TP ICAP emphasised the importance of visibility across increasingly complex environments, and that concern extends directly into AI systems that operate autonomously. This is particularly important as systems become more autonomous and decision making becomes less transparent. It is also just one way to ensure there is always a Human In The loop of any critical AI decision making.
When it comes to securing agentic AI, there are three key pillars of governance, observability, and oversight. I’ve already mentioned the importance of observability, but together, they’re the safeguards for operational trust in AI systems.
Governance sets the rules and access, observability shows what’s actually happening, and oversight is the human control keeping AI in check.”
Looking at the next 18 to 24 months specifically, what is the one development in the agentic AI space that you think the security industry is most dangerously underprepared for?
“The most underprepared risk is the emergence of interconnected agentic systems operating across enterprise environments without continuous human oversight.
AI agents are extremely capable of delegating tasks, making decisions, and executing actions across multiple platforms. The concern is the potential for compromised decisions at scale across interconnected agents.
This creates a new class of attack surface where exploitation is spread across multiple autonomous components, amplifying impact and reducing response time.
A human should always be in the loop to ensure guardrails are actually in place and being followed, and that technology is running with both context and accountability.
Training is a key factor here too. It should focus on how employees interact with AI tools, challenge them, and apply their output responsibly. Employees should understand when to trust a model’s output, when to question it, and when to step in.”
There is a documented shortage of Cyber professionals, how does Rapid7 address the skills gap and through continual learning ensure it remains at the cutting edge of Cyber defence?
“The challenge is less about a simple shortage of talent and more about how organisations identify and develop the right skills.
At Rapid7, this is strongly anchored in Belfast, where the company has built an AI Centre of Excellence focused on applying data science and machine learning to real-world security problems. This acts as a hub for ongoing innovation and practical skills development.
There is also increasing understanding that effective security teams are not built solely from traditional career paths. Instead, diverse backgrounds, cultures and ways of thinking will always produce stronger operational outcomes than narrow technical specialisation alone.
The focus therefore shifts toward hiring for attitude, curiosity, adaptability, and problem-solving ability, rather than just predefined skillsets. Continuous learning is also critical, as the threat landscape evolves faster than static training or certification based models can keep up with.
Rapid7’s internship programmes in Belfast bring emerging talent directly into engineering and security teams, providing hands-on experience in live environments rather than isolated training.
Overall, the approach combines academia, applied research, and early-career development alongside a totally open mind to build adaptable security professionals who can evolve alongside an increasingly AI-driven threat landscape.”
Read the Summer 2026 edition free online →
Stay connected with NI's tech community:
